From: Will Chan
To: "cloudstack-dev@incubator.apache.org", "'cloudstack-users@incubator.apache.org'"
Date: Fri, 15 Jun 2012 10:00:00 -0700
Subject: RE: Construct / change role permissions

That could be a bug. As far as I know domain-admins should be limited as well.

Will

> -----Original Message-----
> From: Clayton Weise [mailto:cweise@iswest.net]
> Sent: Friday, June 15, 2012 9:50 AM
> To: 'cloudstack-dev@incubator.apache.org'; 'cloudstack-users@incubator.apache.org'
> Subject: RE: Construct / change role permissions
>
> With regard to the subject of roles. I've noticed that domain admins do not have limits enforced. So if a domain is limited to 10 snapshots, a domain admin can create 11. And because limits cannot be imposed, as far as we're concerned, this type of user is pretty much useless because we have no way to control what it can do. Is this by design? And if so, why and is there a way it can be changed so that domain admins can have limits enforced?
>
> Thanks,
> Clayton
>
> >-----Original Message-----
> >From: Will Chan [mailto:will.chan@citrix.com]
> >Sent: Friday, June 15, 2012 9:32 AM
> >To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
> >Subject: RE: Construct / change role permissions
> >
> >You are correct that Cloudstack has created essentially three static roles today. The most you can do today is to allow/disallow API commands to each role via the commands.properties file.
> >
> >It has been something that has been requested many times before, however, most production systems that go live on CloudStack typically are fronted by some type of "portal."
> >These portals are the ones that decide permissions for each user type. Essentially, it's the user role that requires a bit more flexibility as the other two roles are pretty standard.
> >
> >I do know that Citrix is working on contributing back some refactoring work on the domain and user ACL checklist so you might want to wait for that first.
> >
> >Will
> >
> >> -----Original Message-----
> >> From: Olga Smola [mailto:olya.smola@gmail.com]
> >> Sent: Friday, June 15, 2012 1:02 AM
> >> To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
> >> Subject: Construct / change role permissions
> >>
> >> Hi,
> >>
> >> I would like to discuss CloudStack roles capabilities. As far as I understand, there are 3 distinct roles and there is no possibility to change any role permissions.
> >> Sometimes it's not so comfortable for a situation when it is needed to allow some action from one role to another one. For example, if you would like to allow USER a new action "Add account", you can't. Because there is no API command for USER. What about new roles?
> >> Have you got any ideas how to extend the CloudStack mechanism of roles creation? It will be more convenient if there is something that allows creating custom roles with needed permissions. For example, give basic role ADMIN or USER and then create a new role based on it, change permissions (remove, add).
> >> Something like Role's constructor.
> >> Also I would like to know if somebody else needs a similar extension?
> >>
> >> Feel free to write any ideas.
> >>
> >> Thanks a lot,
> >> Olga
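
As an added example (not part of the original thread and not CloudStack's own code), the sketch below audits a commands.properties-style file to show which roles may call each API command, the per-role allow/disallow mechanism mentioned in the thread. The `name=class;bitmask` layout, the bit values (1 admin, 2 resource domain admin, 4 domain admin, 8 user), the class names and the sample entries are assumptions constructed for illustration.

```python
# Added example: audit role access in a commands.properties-style file.
# Assumed layout: name=class;bitmask (or name=bitmask); bit values are assumptions.
ROLE_BITS = {1: "ADMIN", 2: "RESOURCE_DOMAIN_ADMIN", 4: "DOMAIN_ADMIN", 8: "USER"}

# Constructed sample input, not a real deployment's file.
SAMPLE = """\
#### account commands
createAccount=example.api.CreateAccountCmd;3
listAccounts=example.api.ListAccountsCmd;15
createSnapshot=example.api.CreateSnapshotCmd;15
updateResourceLimit = example.api.UpdateResourceLimitCmd;7
brokenEntry=example.api.BrokenCmd
"""


def parse_commands(text):
    """Return ({command: set of role names}, [lines that could not be parsed])."""
    perms, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        mask = value.rpartition(";")[2].strip()
        if not sep or not mask.isdigit() or int(mask) > 15:
            rejected.append(raw)  # surface bad entries instead of guessing a default
            continue
        perms[name.strip()] = {r for bit, r in ROLE_BITS.items() if int(mask) & bit}
    return perms, rejected


def commands_for(perms, role):
    """Sorted list of API commands the given role may call."""
    return sorted(c for c, roles in perms.items() if role in roles)


def role_diff(perms, low, high):
    """Commands that role `high` may call but role `low` may not."""
    return sorted(set(commands_for(perms, high)) - set(commands_for(perms, low)))


if __name__ == "__main__":
    perms, rejected = parse_commands(SAMPLE)
    print("USER may call:", commands_for(perms, "USER"))
    print("DOMAIN_ADMIN but not USER:", role_diff(perms, "USER", "DOMAIN_ADMIN"))
    print("rejected lines:", rejected)
```

Reviewing the diff between two roles before and after editing the file shows exactly which commands a change exposes to the lower-privileged role.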